📊 Full opportunity report: The Hidden Flaws In AI Sovereignty Certification Processes: The 24% Rule Perspective on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European AI sovereignty certifications, especially SecNumCloud, include a unique 24% ownership cap to ensure legal control. However, this rule has significant limitations, raising concerns about actual sovereignty and compliance. The article explores these flaws and what they mean for providers and users.

European cybersecurity standards for AI and cloud services include a unique ownership control rule—the 24% cap—that aims to ensure legal sovereignty. However, experts warn that this rule alone may not guarantee actual control or immunity from foreign jurisdiction, raising questions about the effectiveness of current certification processes.

The SecNumCloud certification, issued by France’s ANSSI, is a government-backed qualification that requires providers to meet strict criteria, including EU legal domicile, data storage, and audited key custody. The key feature is the ownership cap: foreign companies cannot hold more than 24% of voting rights, or 39% collectively, to qualify. This arithmetic rule aims to prevent foreign control, but experts note it is a brutally difficult standard to meet, with only about a dozen providers holding valid certifications as of mid-2026.

While certifications like ISO 27001 and BSI C5 focus on security practices, they do not address jurisdictional immunity. SecNumCloud, by contrast, explicitly ties sovereignty to ownership and control, making it a unique but challenging benchmark. US-based hyperscalers, unable to meet the control requirements directly, have often created joint ventures to circumvent the rule, such as Thales-Google’s S3NS or Capgemini-Orange’s Bleu.

These arrangements demonstrate that the ownership rule can be manipulated, which raises concerns about its effectiveness in ensuring sovereignty. The certification’s reliance on a simple arithmetic cap does not fully address the complexities of control, especially when control is exercised through legal or operational arrangements.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe article examines the vulnerabilities of the 24% ownership rule in European AI sovereignty certification processes, highlighting its limitations and implications.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit on Sovereignty

The 24% ownership cap is central to European efforts to ensure legal sovereignty over data and AI services. However, experts warn that this arithmetic control measure can be bypassed through joint ventures and control arrangements, undermining the very purpose of the certification. This raises questions about whether the current standards truly guarantee immunity from foreign jurisdiction or merely provide a perception of control.

For European governments and organizations relying on these certifications, the flaws could mean continued exposure to legal risks under foreign laws like the CLOUD Act. For providers, the challenge is balancing compliance with sovereignty requirements while maintaining operational flexibility. Ultimately, this debate impacts trust in European certification schemes and the future of AI sovereignty in Europe.

Amazon

European AI sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Evolution and Challenges of European Sovereignty Standards

European AI and cloud sovereignty standards have evolved amid concerns over foreign control and data security. The SecNumCloud certification, introduced in 2016 and now in referential version 3.2, is a key element of France’s Cloud au Centre doctrine, which mandates its use for sensitive public-sector data. It emphasizes legal sovereignty through strict criteria, including the ownership cap.

Other frameworks like ISO 27001 and BSI C5 focus on security practices but do not address legal jurisdiction. The 24% rule was introduced as a straightforward, arithmetic measure to prevent foreign control, but its simplicity has led to loopholes and creative arrangements by US and non-EU providers.

As of mid-2026, about nine to ten providers hold active SecNumCloud certifications, with several more in pipeline. The certification is increasingly mandated for vital sectors such as health, energy, and finance, making its robustness critical to European sovereignty efforts.

“Meeting the 24% control threshold is extremely difficult, especially for large, multinational providers, making joint ventures the only viable workaround.”

— A provider executive involved in certification

[By Jocko Willink ] Extreme Ownership: How U.S. Navy SEALs Lead and Win (Hardcover)【2018】by Jocko Willink (Author) (Hardcover)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Risks of Control Manipulation

It remains unclear how effectively the ownership cap prevents control circumvention via joint ventures or operational arrangements. Experts warn that providers can still exercise significant influence without exceeding the 24% threshold, potentially undermining sovereignty guarantees. The long-term robustness of SecNumCloud in preventing foreign control is an open question, especially as providers develop creative legal structures.

Cybersecurity Audit Essentials: Tools, Techniques, and Best Practices

Cybersecurity Audit Essentials: Tools, Techniques, and Best Practices

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European AI Sovereignty Standards

Regulators and policymakers are likely to revisit the ownership control rules and tighten oversight to close loopholes. The European Commission may introduce more nuanced control measures or additional audits to verify actual influence. Meanwhile, more providers are expected to seek SecNumCloud certification, especially as the standards become mandatory for critical sectors. The debate over sovereignty versus operational flexibility will continue to shape Europe’s AI regulation landscape.

CompTIA Security+ Certification Kit

CompTIA Security+ Certification Kit

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is the 24% ownership rule considered a weakness?

The rule is a simple arithmetic cap that can be bypassed through joint ventures or operational control, which may still allow foreign influence and undermine sovereignty.

How does SecNumCloud differ from other certifications?

SecNumCloud is a government-backed qualification that explicitly ties sovereignty to ownership and control, including legal domicile and immunity from non-EU laws, making it more stringent than security-focused standards like ISO 27001.

Can US companies meet SecNumCloud requirements directly?

Generally no, because US companies cannot meet the ownership control restrictions directly. They often create joint ventures or control arrangements to comply with the 24% rule.

What are the implications for European data sovereignty?

The flaws in the control rule suggest that current standards may not fully guarantee immunity from foreign jurisdiction, raising concerns about true sovereignty in European AI and cloud services.

Source: ThorstenMeyerAI.com

You May Also Like

Browser Fingerprinting: Can You Really Hide?

Keen to uncover whether hiding from browser fingerprinting is truly possible, or if trackers can still find you? Keep reading to find out.

Android Private Compute Core: What It Is

Many users wonder how Android Private Compute Core keeps their data private—discover the secrets behind this secure system.

iPhone 18 Pro ‘Drop Test’ Leaks Get Yanked From X

Leaked videos of the iPhone 18 Pro undergoing a drop test were removed from X after platform rule violations, amid ongoing leaks from supplier breaches.

Security researcher says Microsoft built a Bitlocker backdoor, releases exploit

A security researcher alleges Microsoft embedded a backdoor in BitLocker and has released an exploit, raising concerns over encryption security.